GandCrab Swarm

Posted on 2018-04-17 by Pedram Amini

In early April of 2018 we noticed a spike in malicious activity, sourced mostly from Asia and delivered via SMTP. This post covers our exploration of the campaign and the eventual realization that it is responsible for distributing a mix of garden-variety malware, including GandCrab ransomware. If you've been infected, check out this free decrypter. For technical readers, check out @hasherezade's GandCrab IDA Python string deobfuscator utility on GitHub.

GandCrab Swarm

The campaign is far from stealthy, and we're certainly not the first to write about it. See the Further Reading section below for additional articles and utilities. We first noticed the campaign through a significant uptick in threats delivered via malicious e-mail attachments following the naming convention DOC[0-9]{10}.zip. Example file names include:

DOC1385624908.zip
DOC1614310849.zip
DOC2138630325.zip
DOC2229418534.zip
DOC3054722748.zip
...

In the cases we observed, the archive contained either a malicious macro dropper document or a malicious JavaScript file. We observed ~3,000 unique IP addresses spanning 427 ASNs (see appendix). Analyzing the source IPs of the campaign reveals a heavy slant toward Asia. We produced the breakdown with the handy distribution utility, linked here, if you're curious.
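As an added defender-side example (not code from the original post), the following Python snippet turns the two observations above, the DOC[0-9]{10}.zip attachment name and an archive carrying a macro document or JavaScript file, into a mail-gateway check; the sample archives it inspects are constructed inline, and the verdict names (block/review/allow) are an assumed policy, not something the post prescribes.

```python
import io
import re
import zipfile

# Attachment naming convention reported in the post: DOC + ten digits + .zip
ATTACHMENT_NAME = re.compile(r"^DOC[0-9]{10}\.zip$", re.IGNORECASE)
# Inner file types observed in the campaign: macro documents and JavaScript.
SUSPICIOUS_MEMBER = re.compile(r"\.(docm?|js|jse)$", re.IGNORECASE)


def inspect_attachment(filename, data):
    """Return (name_matches, [suspicious member names]) for one attachment.

    `data` is the raw bytes of the attachment. Malformed or non-ZIP data
    yields an empty member list instead of raising, so the gateway keeps going.
    """
    name_matches = bool(ATTACHMENT_NAME.match(filename))
    suspicious = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            suspicious = [n for n in zf.namelist() if SUSPICIOUS_MEMBER.search(n)]
    except zipfile.BadZipFile:
        pass
    return name_matches, suspicious


def verdict(filename, data):
    """Assumed policy: 'block' when both indicators match, 'review' when one does."""
    name_matches, suspicious = inspect_attachment(filename, data)
    if name_matches and suspicious:
        return "block"
    if name_matches or suspicious:
        return "review"
    return "allow"


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the campaign's naming convention (harmless stubs).
SAMPLES = {
    "DOC1385624908.zip": make_zip({"DOC1385624908.js": b"// constructed stub"}),
    "DOC2138630325.zip": make_zip({"invoice.doc": b"constructed stub"}),
    "report.zip": make_zip({"report.pdf": b"%PDF-1.4 constructed stub"}),
    "DOC0000000000.zip": b"not really a zip",  # name matches, archive unreadable
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, verdict(name, data))
```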

Second Stage Payloads

The second-stage payloads were seen hosted on French, British, and Chinese servers (see appendix). In one case the host was a seemingly compromised China-based shopping site (112[.]126.94.107); in another, a seemingly fresh install of CentOS (185[.]189.58.222).

Having identified a second-stage payload host, and realizing that the payloads follow a basic one-to-three-character naming convention with a handful of extensions (.exe, .doc, etc.), we brute-force crawled that limited space to unveil the following list of additional payloads. All are active as of the time of writing. On a side note, for more complex brute-force patterns, we recommend checking out rexgen.